add mobi and it works

2022-09-23 20:29:18 +02:00 · 2022-09-23 20:29:18 +02:00 · f771aa24bf
parent 9964d154d4
commit f771aa24bf
23 changed files with 278 additions and 146 deletions
--- a/flake.lock
+++ b/flake.lock
@ -3,7 +3,7 @@
    "barcode-reader": {
      "inputs": {
        "flake-utils": "flake-utils_3",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs"
      },
      "locked": {
        "lastModified": 1636602745,
@ -38,16 +38,18 @@
      "inputs": {
        "flake-compat": "flake-compat",
        "nix-eval-jobs": "nix-eval-jobs",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
        "stable": "stable",
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1661669123,
-        "narHash": "sha256-nXslD8Sbs6G9/MN7HOr+YrBCCmUdS/MpEuxJGlWeSgM=",
+        "lastModified": 1663742427,
+        "narHash": "sha256-1gcXLVbZRVbRfNo6bHemNxdnEBgs6W0QPw675/uso3w=",
        "owner": "zhaofengli",
        "repo": "colmena",
-        "rev": "e7356e2c5cbc19be6e04d284c943b24bbde81a9b",
+        "rev": "a8e6b999cfec9fadc2ca81994da44182e73be7eb",
        "type": "github"
      },
      "original": {
@ -546,16 +548,15 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1660485612,
-        "narHash": "sha256-sSLW1KaB1adKTJn9+Ja3h3AaS7QCZyhUKiSUStcLg80=",
-        "owner": "NixOS",
+        "lastModified": 1636416043,
+        "narHash": "sha256-Esz9X97OeAsNoJUVuqlCu2LDWcyLE24huUonhOY3JGw=",
+        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "6512b21eabb4d52e87ea2edcf31a288e67b2e4f8",
+        "rev": "db6044d5debaff0749420c3553d1b89fc6c5c5f8",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "owner": "nixos",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -615,21 +616,6 @@
      }
    },
    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1636416043,
-        "narHash": "sha256-Esz9X97OeAsNoJUVuqlCu2LDWcyLE24huUonhOY3JGw=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "db6044d5debaff0749420c3553d1b89fc6c5c5f8",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
      "locked": {
        "lastModified": 1661700591,
        "narHash": "sha256-NZa+z+TJC+Hk+87+LKkjFFmBn4GyMVEPcWFXFU+aTkU=",
@ -645,7 +631,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_4": {
+    "nixpkgs_3": {
      "locked": {
        "lastModified": 1632855891,
        "narHash": "sha256-crW76mt9/kbUBiKy/KiSnsQ9JEYgD3StDuYAMVkTbM0=",
@ -659,7 +645,7 @@
        "type": "indirect"
      }
    },
-    "nixpkgs_5": {
+    "nixpkgs_4": {
      "locked": {
        "lastModified": 1661353537,
        "narHash": "sha256-1E2IGPajOsrkR49mM5h55OtYnU0dGyre6gl60NXKITE=",
@ -774,7 +760,7 @@
    "polygon-art": {
      "inputs": {
        "flake-utils": "flake-utils_6",
-        "nixpkgs": "nixpkgs_4"
+        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
        "lastModified": 1632864714,
@ -833,7 +819,7 @@
        "home-manager": "home-manager",
        "home-manager-utils": "home-manager-utils",
        "krops": "krops",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_2",
        "nixpkgs-fmt": "nixpkgs-fmt",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "polygon-art": "polygon-art",
@ -878,11 +864,11 @@
    "secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1663688404,
-        "narHash": "sha256-eGKtvyakb/6jncb5oQXa0c6usLvQ8DMDjr5LtBbpdzY=",
+        "lastModified": 1663876023,
+        "narHash": "sha256-esUjNxIvrKZXukSbZbre4l5nS++Iqhc19LGHcizHEk4=",
        "ref": "main",
-        "rev": "43bc5b41992e585f8b02a18c66b478fd165ed817",
-        "revCount": 36,
+        "rev": "6b43a1b2f4ba34f684614d15f54e68d88eea2612",
+        "revCount": 38,
        "type": "git",
        "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
      },
@ -910,7 +896,7 @@
    },
    "sops-nix": {
      "inputs": {
-        "nixpkgs": "nixpkgs_5",
+        "nixpkgs": "nixpkgs_4",
        "nixpkgs-22_05": "nixpkgs-22_05"
      },
      "locked": {
--- a/flake.nix
+++ b/flake.nix
@ -14,7 +14,10 @@
    };
    # colmena
    # -------
-    colmena.url = "github:zhaofengli/colmena";
+    colmena = {
+      url = "github:zhaofengli/colmena";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    polygon-art = {
      url = "git+https://git.ingolf-wagner.de/palo/polygon-art.git";
@ -157,7 +160,7 @@
          sterni = { name, nodes, pkgs, ... }: {
            deployment.allowLocalDeployment = true;
            deployment.targetHost = "${name}.private";
-            deployment.tags = [ "desktop" "online" ];
+            deployment.tags = [ "desktop" "online" "private" ];
            imports = [
              grocy-scanner.nixosModule
            ];
@ -186,7 +189,7 @@

          pepe = { name, nodes, pkgs, ... }: {
            deployment.targetHost = "${name}.private";
-            deployment.tags = [ "server" "online" ];
+            deployment.tags = [ "server" "online" "private" ];
            imports = [
              grocy-scanner.nixosModule
            ];
@ -194,10 +197,22 @@

          robi = { name, nodes, pkgs, ... }: {
            deployment.targetHost = "${name}";
-            deployment.tags = [ "server" "online" ];
+            deployment.tags = [ "server" "online" "private" ];
            imports = [ ];
          };
-
+          mobi = { name, nodes, pkgs, ... }: {
+            deployment.targetHost = "${name}.private";
+            deployment.tags = [ "desktop" "usb" "private" ];
+            imports = [
+              grocy-scanner.nixosModule
+            ];
+            home-manager.users.mainUser = {
+              imports = [
+                doom-emacs-nix.hmModule
+                home-manager-utils.hmModule
+              ];
+            };
+          };
        };
    };
 }
--- a/images/lib/remote-access.nix
+++ b/images/lib/remote-access.nix
@ -97,16 +97,19 @@
      config =
        let
          torDirectory = "/var/lib/tor";
-          hiddenServiceDir = torDirectory + "/liveos";
+          hiddenServiceDir = torDirectory + "/onion/hidden-ssh";
        in
        {
          services.tor = {
            enable = true;
            client.enable = true;
-            extraConfig = ''
-              HiddenServiceDir ${hiddenServiceDir}
-              HiddenServicePort 22 127.0.0.1:22
-            '';
+            relay.onionServices.hidden-ssh = {
+              version = 3;
+              map = [{
+                port = 22;
+                target.port = 22;
+              }];
+            };
          };
          systemd.services.hidden-ssh-announce = {
            description = "irc announce hidden ssh";
--- a/nixos/assets/ssh/palo_rsa.pub
+++ b/nixos/assets/ssh/palo_rsa.pub
--- a/nixos/assets/tinc/mobi_host_file
+++ b/nixos/assets/tinc/mobi_host_file
@ -1,14 +1,14 @@
-Ed25519PublicKey = 94CccmfAuNtQzopd5NiVYjTjZvSgabMh66BI/iyVmnJ
+Ed25519PublicKey = X5sp3YYevVNUrzYvi+HZ2iW5WbO0bIb58jR4jZFH6MB
 -----BEGIN RSA PUBLIC KEY-----
-MIICCgKCAgEA8m9cBRv+9K8ywH19CZKDidwmzEa+2j3rkFjek+uPLVCHX5FlVQv+
-flX5fY06DuaPzWKf4MoXHxmVa9T/WOcKZJUmhSJC2AVorhuPihOx0FNrQr69bamy
-x03fiH0pHmDXumNdGMUcNf+06Zu2Nr9yze8rE1B97zb0RPBf+XC1uHw4E4PrWC/F
-swibj9U45bp07wFvJrkAsngw4c6+TFERW6TK5DPKDQs7KfgdsqFGLvg2cY5phwC1
-08HBC7eTf2xG6paaS7gEbhDMQ/K47Lbhbv2srnYfaBw5iyc8f29ZwEuNfE4V15B3
-foz/kGAhceTuBKNCVvKvqSIL2yEsibFVyl7zlgGp3EKWuR5ETQAspJViGILwiyq6
-iRYQ1AxxyroqS146CUAB8/68w0PwroKt8lXMEtx58S7/OAW0KnXGxwqSfocH+iE4
-qry9pPuSs7RR6lXBB0nvSfTbaZDMUXtiyV24+pyZgl5Q31kDgUWgFpzGRBc/CTO2
-h8OmUcvEyLxh3bruu0SQGXa35G1Igsumuh/uLifgHB/odLYY00PhEdpp52BswgXe
-yz88nfXMOyvm7ROEyA7r2qruM1kEHDSQ8IRuxhd8YebyI7k6mYVE8CR5T89QfVl3
-mrNk+f6Q/cpFiNBxr7+UBCiHix3/GDAD4NEgvu5nfqinTA34FuscTS8CAwEAAQ==
+MIICCgKCAgEAxubIDrvtrZ6fKPkuwQ+sK6YlToTfVtg3HCTOR7iDf47arkuG3dTb
+BgnkbB/8+KzztaYLQoLnGFugxKKtMGBvMGCo6YLtxrjuaz3aDmhpmGCJh80r80/i
+8WWg1CAkboKHmaiFpS/LBxAWQUGP+YJSoTLuDwtd794wX9MxLh4x5uGRp4rCj9+4
+DdGemLZkZz6Je+cBkf8qrw1Dr8CPiJk47a7bZhyKVnQ3PyvrGOjFolfcI22xp8j3
+7y55DIMWhVsm6EWFK4/pzAqi9JdRd7xy8c9WRIcAHJDlSdf+ERbIjUDJC8fgMlNl
+UII0SqLnBscIbqz2dMuoldeqg9S1fOiTekReLJqpLmAIn+iwpT8KW5QaESu2eh6M
+Ok0sJ8A+aphuZ+FDd2FUmWQiENnPzFGYQ/SuNAA7hR5plSCbjpodulNQFY93I8y3
+vRru6rm/ac+7SehWPBgHGl12UJluvHn32Q85bJ2vdtn9ONgcOdjSLA58nzfc1hv/
+OA5MzIJTvDJqwjZew8A/pyz6kxrGBqnXCzzt46tvj0yZ/VhIgL3qDTR/wzRV3N14
+3Z7TToIQKBPSYNxxCEHXxVQb8oWdGzeE7X52iFeYKhxj+ikZxkoXhCgIRYrDBQ0k
+lnpJU+fbeFddZ4bAdqPxVT+perK33Wzgp9s4+KLh8ldpcRm8S29sNIcCAwEAAQ==
 -----END RSA PUBLIC KEY-----
--- a/nixos/machines/mobi/configuration.nix
+++ b/nixos/machines/mobi/configuration.nix
@ -2,19 +2,26 @@

  imports = [

-    <system/desktop>
+    ../../system/desktop
    ./hardware-configuration.nix
    ./tinc.nix
+    ./syncthing.nix

  ];

-  system.custom.wifi.interfaces = [ ];
-
-  networking.hostName = "mobi";
-
  security.wrappers = {
-    pmount.source = "${pkgs.pmount}/bin/pmount";
-    pumount.source = "${pkgs.pmount}/bin/pumount";
+    pmount = {
+      source = "${pkgs.pmount}/bin/pmount";
+      setuid = true;
+      owner = "root";
+      group = "root";
+    };
+    pumount = {
+      source = "${pkgs.pmount}/bin/pumount";
+      setuid = true;
+      owner = "root";
+      group = "root";
+    };
  };

  # fonts
@ -28,5 +35,46 @@
    height = 768;
  };

+  # grub configuraton
+  # -----------------
+  boot.loader.grub.enable = true;
+  boot.loader.grub.efiSupport = true;
+  boot.loader.grub.device = "/dev/sda";
+  boot.loader.grub.efiInstallAsRemovable = true;
+  boot.tmpOnTmpfs = true;
+
+  networking.networkmanager.enable = true;
+  networking.hostName = "mobi";
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    htop
+    silver-searcher
+  ];
+
+  environment.extraInit = ''
+    # use vi shortcuts
+    # ----------------
+    set -o vi
+    EDITOR=vim
+  '';
+
+  services.openssh.enable = true;
+  desktop.ssh.onlyTinc = false;
+
+  users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw== contact@ingolf-wagner.de" ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.05"; # Did you read the comment?
+
 }

--- a/nixos/machines/mobi/hardware-configuration.nix
+++ b/nixos/machines/mobi/hardware-configuration.nix
@ -1,58 +1,47 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, modulesPath, ... }:

 {
-  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];

-  boot.initrd.availableKernelModules =
-    [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

-  # efi boot loader configuration using grub
-  boot.loader.efi.canTouchEfiVariables = false;
-  boot.loader.grub = {
-    device = "nodev";
-    efiInstallAsRemovable = true;
-    efiSupport = true;
-    enable = true;
-    version = 2;
-  };
-
-  fileSystems."/share/" = {
-    device = "/dev/ram1";
-    fsType = "tmpfs";
-  };
-
-  # NTFS support
-  # ------------
-  environment.systemPackages = [ pkgs.ntfs3g ];
-
-  # lvm volume group
-  # ----------------
-  boot.initrd.luks.devices = {
-    mobi = {
-      device = "/dev/disk/by-uuid/e138095f-c703-4dea-bb1c-bf888b8e1b81";
-      preLVM = true;
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/978cfc56-b47d-4d94-adae-18a4209519a5";
+      fsType = "ext4";
    };
-  };

-  # root
-  # ----
-  fileSystems."/" = {
-    options = [ "noatime" "nodiratime" "discard" ];
-    device = "/dev/mobi/root";
-    fsType = "ext4";
-  };
+  boot.initrd.luks.devices."root-enc".device = "/dev/disk/by-uuid/cf30f4a6-578e-418a-9d18-d32fbf992b0c";

-  # boot
-  # ----
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/064D-3144";
-    fsType = "vfat";
-  };
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/AEE5-221F";
+      fsType = "vfat";
+    };

+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s25.useDHCP = lib.mkDefault true;
+  # networking.interfaces.tinc.private.useDHCP = lib.mkDefault true;
+  # networking.interfaces.tinc.retiolum.useDHCP = lib.mkDefault true;
+  # networking.interfaces.tinc.secret.useDHCP = lib.mkDefault true;
+  # networking.interfaces.virbr0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/nixos/machines/mobi/syncthing.nix
+++ b/nixos/machines/mobi/syncthing.nix
@ -0,0 +1,42 @@
+{ config, pkgs, lib, ... }: {
+
+  #sops.secrets.syncthing_cert = { };
+  #sops.secrets.syncthing_key = { };
+
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = false;
+    user = "palo";
+    dataDir = "/home/palo/.syncthing";
+    configDir = "/home/palo/.syncthing";
+    #cert = toString config.sops.secrets.syncthing_cert.path;
+    #key = toString config.sops.secrets.syncthing_key.path;
+    overrideFolders = true;
+    folders = {
+
+      # on encrypted drive
+      # ------------------
+      private = {
+        enable = true;
+        path = "/home/palo/private";
+      };
+      desktop = {
+        enable = true;
+        path = "/home/palo/desktop";
+      };
+      finance = {
+        enable = true;
+        path = "/home/palo/finance";
+      };
+      password-store = {
+        enable = true;
+        path = "/home/palo/.password-store";
+      };
+    };
+  };
+
+  system.permown."/home/palo/music-library" = {
+    owner = "palo";
+    group = "users";
+  };
+}
--- a/nixos/machines/pepe/borg.nix
+++ b/nixos/machines/pepe/borg.nix
@ -8,7 +8,7 @@
      authorizedKeys = [
        # todo rename
        (lib.fileContents ../../assets/ssh/borg_access.pub)
-        (lib.fileContents ../../assets/ssh/card_rsa.pub)
+        (lib.fileContents ../../assets/ssh/palo_rsa.pub)
      ];
    };
  };
--- a/nixos/machines/pepe/syncthing.nix
+++ b/nixos/machines/pepe/syncthing.nix
@ -43,6 +43,10 @@
        enable = true;
        path = "/home/syncthing/private";
      };
+      password-store = {
+        enable = true;
+        path = "/home/syncthing/password-store";
+      };
      desktop = {
        enable = true;
        path = "/home/syncthing/desktop";
--- a/nixos/machines/robi/borg.nix
+++ b/nixos/machines/robi/borg.nix
@ -6,7 +6,7 @@
      allowSubRepos = true;
      authorizedKeys = [
        (lib.fileContents ../../assets/ssh/borg_access.pub)
-        (lib.fileContents ../../assets/ssh/card_rsa.pub)
+        (lib.fileContents ../../assets/ssh/palo_rsa.pub)
      ];
    };
  };
--- a/nixos/machines/robi/nginx.nix
+++ b/nixos/machines/robi/nginx.nix
@ -53,27 +53,28 @@ in
            alias = pkgs.writeText "key" (lib.fileContents ../../assets/pgp.key);
          };
          "= /palo_rsa.pub" = {
-            alias = pkgs.writeText "key" (lib.fileContents ../../assets/ssh/card_rsa.pub);
+            alias = pkgs.writeText "key" (lib.fileContents ../../assets/ssh/palo_rsa.pub);
          };
        } // error.locations;
      };

-      "stable-diffusion.ingolf-wagner.de" = {
-        forceSSL = true;
-        enableACME = true;
-        extraConfig = error.extraConfig;
-        root = "/srv/www/stable-diffusion";
-        locations = {
-          "/model-v1-4.ckpt" = {
-            basicAuthFile = "${private_assets}/stable-diffusion-htpasswd";
-            tryFiles = "/stable-diffusion-v-1-4-original/sd-v1-4.ckpt =404";
-          };
-          #"/model-v1-3.ckpt" = {
-          #  basicAuthFile = "${private_assets}/stable-diffusion-htpasswd";
-          #  tryFiles = "stable-diffusion-v-1-3-original/sd-v1-3.ckpt";
-          #};
-        } // error.locations;
-      };
+      # "stable-diffusion.ingolf-wagner.de" = {
+      #   forceSSL = true;
+      #   enableACME = true;
+      #   extraConfig = error.extraConfig;
+      #   root = "/srv/www/stable-diffusion";
+      #   locations = {
+      #     "/model-v1-4.ckpt" = {
+      #       basicAuthFile = "${private_assets}/stable-diffusion-htpasswd";
+      #       tryFiles = "/stable-diffusion-v-1-4-original/sd-v1-4.ckpt =404";
+      #     };
+      #     #"/model-v1-3.ckpt" = {
+      #     #  basicAuthFile = "${private_assets}/stable-diffusion-htpasswd";
+      #     #  tryFiles = "stable-diffusion-v-1-3-original/sd-v1-3.ckpt";
+      #     #};
+      #   } // error.locations;
+      # };
+
      "travel.ingolf-wagner.de" = {
        forceSSL = true;
        enableACME = true;
--- a/nixos/machines/sterni/configuration.nix
+++ b/nixos/machines/sterni/configuration.nix
@ -12,11 +12,14 @@
    #./wifi-access-point.nix
    #./wireshark.nix
    ./scanner.nix
+    ./qemu.nix

  ];

+
  services.nginx.enable = true;

+
  #sops.defaultSopsFile = ../../secrets/sterni.yaml;
  networking.hostName = "sterni";

--- a/nixos/machines/sterni/qemu.nix
+++ b/nixos/machines/sterni/qemu.nix
@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+  virtualisation.libvirtd.enable = true;
+  #virtualisation.libvirtd.allowedBridges = ["virbr0"];
+  virtualisation.libvirtd.onShutdown = "shutdown";
+
+  environment.systemPackages = [
+    pkgs.qemu_kvm
+    pkgs.virt-manager
+  ];
+
+  users.users.mainUser.extraGroups = [ "libvirtd" ];
+
+
+}
--- a/nixos/machines/sterni/syncthing.nix
+++ b/nixos/machines/sterni/syncthing.nix
@ -16,6 +16,10 @@

      # on encrypted drive
      # ------------------
+      password-store = {
+        enable = true;
+        path = "/home/palo/.password-store";
+      };
      private = {
        enable = true;
        path = "/home/palo/private";
--- a/nixos/modules/system/audio.nix
+++ b/nixos/modules/system/audio.nix
@ -104,7 +104,7 @@ in
      enable = true;
      package = pkgs.pulseaudioFull;
      # all in audio group can do audio
-      systemWide = true;
+      systemWide = false;
      extraConfig = ''
        # automatically switch to newly-connected devices
        load-module module-switch-on-connect
--- a/nixos/system/all/borg-scripts.nix
+++ b/nixos/system/all/borg-scripts.nix
@ -7,7 +7,7 @@
          "borg-${command}-on-${host}-for-${repository}" ''
          ${pkgs.borgbackup}/bin/borg \
            ${command} \
-            --rsh='ssh -i ~/.ssh/card_rsa.pub' borg@${host}.private:${repository}/. \
+            --rsh='ssh -i ~/.ssh/palo_rsa.pub' borg@${host}.private:${repository}/. \
            "$@"
        '';
      hosts = [ "pepe" "robi" ];
--- a/nixos/system/all/sshd-known-hosts-private.nix
+++ b/nixos/system/all/sshd-known-hosts-private.nix
@ -36,7 +36,7 @@
        config.module.cluster.services.tinc.private.hosts.sterni.tincIp
        config.module.cluster.services.tinc.secret.hosts.sterni.tincIp
      ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyHmHJy2Va45p9mn+Hj3DyaY5yxnQIKvXeACHjzgSKt";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEQRH4gzT4vWSx3KN80ePPYhSPZRUae/qSyEym6pJTht";
    };
    "pepe.private" = {
      hostNames = [
@ -51,7 +51,7 @@
        "mobi.private"
        config.module.cluster.services.tinc.private.hosts.mobi.tincIp
      ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhBtcipW9rV6hHS2hv5tl5hd8vW8dnuFfFwnAs2u0kS";
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE3G7TwCoxcVfwhGL0913RtacEeokqKtufhzzkCxpPxk";
    };
  };
 }
--- a/nixos/system/all/sshd.nix
+++ b/nixos/system/all/sshd.nix
@ -11,7 +11,7 @@ with lib;
    tools.enable = true;
    sshd = {
      enable = true;
-      rootKeyFiles = [ (toString ../../assets/ssh/card_rsa.pub) ];
+      rootKeyFiles = [ (toString ../../assets/ssh/palo_rsa.pub) ];
    };
  };

--- a/nixos/system/all/syncthing.nix
+++ b/nixos/system/all/syncthing.nix
@ -25,11 +25,11 @@ with lib; {
      // (device "workhorse" "AFSAKB6-JLH4QAS-DSRMPI3-6PVCIHF-IIAVLPC-STPNO3Y-YRDU5NW-QD445QI")
      // (device "pepe" "SZLXFW3-VTAC7UB-V2Z7CHE-3VZAYPL-6D72AK6-OCDMPZP-G4FPY5P-FL6ZVAG")
      // (device "sterni" "ZFNNKPD-ZSOAYJQ-VROXXDB-5MD3UTJ-GDCNTSQ-G5POVV3-UZG5HFT-CCAU3AD")
+      // (device "mobi" "NGI7UN6-MR2YPYI-L7DGN3I-JFZU2N3-RJBJV6K-2VZVQSJ-PWLZYOK-PXZYRAF")
      // {
        bumba = {
          name = "windows-bumba";
          id = "JS7PWTO-VKFGBUP-GNFLSWP-MGFJ2KH-HLO2LKW-V3RPCR6-PCB5SQC-42FCKQZ";
-          #addresses = [ "dynamic" ];
        };
      }
      // {
@ -47,7 +47,16 @@ with lib; {
      private = {
        enable = lib.mkDefault false;
        watch = lib.mkDefault false;
-        devices = [ "pepe" "sterni" ];
+        devices = [ "pepe" "sterni" "mobi" ];
+        versioning = {
+          type = "simple";
+          params.keep = "10";
+        };
+      };
+      password-store = {
+        enable = lib.mkDefault false;
+        watch = lib.mkDefault false;
+        devices = [ "pepe" "sterni" "mobi" ];
        versioning = {
          type = "simple";
          params.keep = "10";
@ -56,12 +65,12 @@ with lib; {
      desktop = {
        enable = lib.mkDefault false;
        watch = lib.mkDefault false;
-        devices = [ "pepe" "sterni" ];
+        devices = [ "pepe" "sterni" "mobi" ];
      };
      finance = {
        enable = lib.mkDefault false;
        watch = lib.mkDefault false;
-        devices = [ "pepe" "sterni" ];
+        devices = [ "pepe" "sterni" "mobi" ];
        versioning = {
          type = "simple";
          params.keep = "10";
--- a/nixos/system/desktop/home-manager.nix
+++ b/nixos/system/desktop/home-manager.nix
@ -84,13 +84,13 @@ in
    };

    home.git-pull = {
-      enable = mkDefault true;
+      enable = mkDefault false;
      repositories = [
        # krebs
-        {
-          source = "git@github.com:krebs/stockholm.git";
-          target = "~/dev/krebs/stockholm";
-        }
+        #{
+        #  source = "git@github.com:krebs/stockholm.git";
+        #  target = "~/dev/krebs/stockholm";
+        #}
        {
          source = "git@github.com:krebs/rc3-map.git";
          target = "~/dev/krebs/rc3-map";
--- a/nixos/system/desktop/home-manager/ssh.nix
+++ b/nixos/system/desktop/home-manager/ssh.nix
@ -5,7 +5,7 @@ with lib; {
    programs.ssh.enable = true;
    programs.ssh.matchBlocks = {
      "*" = {
-        identityFile = "~/.ssh/card_rsa.pub";
+        identityFile = "~/.ssh/palo_rsa.pub";
        identitiesOnly = true;
      };
      "lassul.us" = {
--- a/nixos/system/desktop/sshd.nix
+++ b/nixos/system/desktop/sshd.nix
@ -1,6 +1,17 @@
-{ config, ... }: {
-  # make sure ssh is only available trough the tinc
-  networking.firewall.extraCommands = ''
-    iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
-  '';
+{ config, lib, ... }:
+with lib;
+let cfg = config.desktop.ssh.onlyTinc;
+in {
+  options.desktop.ssh.onlyTinc = mkOption {
+    type = with types; bool;
+    default = true;
+    description = ''
+      make sure ssh is only available trough the tinc
+    '';
+  };
+  config = mkIf cfg {
+    networking.firewall.extraCommands = ''
+      iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
+    '';
+  };
 }